US20160119336A1 - System and method for hardware-based trust control management - Google Patents


Info

Publication number: US20160119336A1
Authority: US (United States)
Prior art keywords: trust, value, machine, hardware, management method
Legal status: Granted (Active)
Application number: US14/990,078
Other versions: US9674183B2 (en)
Inventors: Michael J. Dyer, José E. Gonzalez, Albert Caballero
Current assignee: Trapezoid Inc
Original assignee: Trapezoid Inc
Application filed by: Trapezoid Inc
Priority: US14/990,078 (granted as US9674183B2)
Later application claiming priority to this one: US15/601,551 (US10305893B2)

Classifications

All H04L codes below sit under H04L 63/00 (Network architectures or network communication protocols for network security), within H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION. The G06F code sits under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity).

    • H04L 63/0853: authentication of entities (H04L 63/08) using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G06F 21/57: certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • H04L 63/0876: authentication of entities (H04L 63/08) based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/1416: event detection, e.g. attack signature detection (under H04L 63/14, detecting or protecting against malicious traffic, and H04L 63/1408, by monitoring network traffic)
    • H04L 63/20: managing network security; network security policies in general

Definitions

  • Shared cloud computing technologies are designed to be very agile and flexible, transparently using available resources to process workloads for their customers.
  • There are security and privacy concerns with not knowing the integrity, identity and location of the physical devices that make up a cloud platform, and with allowing unrestricted workload migration among the servers that comprise an unverified cloud platform and across such unverified cloud platforms.
  • Whenever multiple workloads are present on a multi-server cloud platform there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other's sensitive data, or otherwise compromise the security or privacy of the workloads.
  • With two rival companies holding workloads on the same cloud platform, each company would want to ensure that the servers housing its workloads are trusted to protect its information from the other company as well as from any other unauthorized access.
  • Another concern with shared cloud computing is that workloads could move from servers in a cloud platform located in one country to servers in a cloud platform located in another country.
  • Each country has its own laws for data security, privacy, and other aspects of information technology (IT). Because the requirements of these laws may conflict with an organization's policies or mandates (e.g., laws, regulations), an organization may decide that it needs to restrict which cloud platform it uses based on its specific location.
  • A common desire is to use only a cloud platform whose servers are physically located within the same country as the organization.
  • Forming trusted computing pools is a leading approach to aggregate trusted systems and segregate them from untrusted resources. This allows for the separation of higher-value, more sensitive workloads from commodity applications and data.
  • the principles of operation are to: (1) Create a cloud platform to meet the specific and varying security requirements of users; (2) Control access to that cloud platform so that only the right applications get deployed there; and (3) Enable audits of the cloud platform so that users can verify compliance.
  • trusted computing pools allow IT to gain the benefits of the dynamic cloud environment while still enforcing higher levels of protections for their more critical workloads.
  • the ultimate goal is to be able to use trusted verification and identification methodologies for deploying and migrating cloud workloads between and among trusted servers within a cloud platform.
  • Current thinking has identified certain prerequisite steps, which can be thought of as staged requirements that a trusted cloud platform solution must meet:
  • the cloud platform includes servers each with a hardware configuration (e.g., BIOS settings) and a hypervisor configuration.
  • the hypervisor operates directly on the hardware, not on top of another operating system, thus it is imperative to show that the hypervisor has not been compromised and that it is the designated version and configuration.
  • Before the server is used for workloads, its trustworthiness must be verified (measured).
  • the items configured in the BIOS and hypervisor need to have their configurations verified before launching the hypervisor to ensure that the assumed level of trust is in place.
  • the next stage requires that cloud workloads are able to be migrated among homogeneous trusted server platforms within a cloud environment.
  • This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud environment, taking into consideration geolocation restrictions.
  • TXT Intel® Trusted Execution Technology
  • TXT implements a foundation for establishing a Transitive Chain of Trust (TCoT) that is rooted in hardware.
  • TCoT Transitive Chain of Trust
  • Each module within the chain has an opportunity to examine and measure the next module, prior to that module's execution.
  • IM Integrity Measurements
  • TPM Trusted Platform Module
  • TXT provides a method for introducing a user-defined value into the chain of evidence by storing that value in a specific secured NVRAM index with the TPM.
  • the current art is to write the identical user-defined value into the TPM NVRAM index of a group of servers to designate a logical grouping or pool.
  • Common terms for this method are “Geotag”, “Geolocation” and “Geofence” because historically the first user-defined values used in demonstrating this capability were geographic in nature.
  • A country code or Geotag is hashed using a SHA1 function and the resulting Geotag value is stored in the TPM NVRAM index, e.g. SHA1 (“USA”).
  • the Trusted Boot (TBOOT) module that initializes the BIOS uses a “TPM EXTEND” function to Extend the TPM NVRAM index Geotag value into Platform Configuration Register (PCR) 22. To validate the Geotag, the value in PCR22 is compared with an externally maintained lookup table.
  • TPM EXTEND: the TPM operation that extends a value into a Platform Configuration Register (PCR)
  • the value placed into the TPM NVRAM index could be any arbitrary value because the lookup table only validates against the resulting PCR22 value.
  • the PCR Extend operation is not part of the validation.
  • TXT includes an additional mechanism termed “Launch Control Policy” (LCP), which allows the Platform Supplier (the manufacturer) and the Platform Owner (customer) each to specify requirements for a Secure Operating System Launch.
  • LCP policies contain specifications of valid Platform Configurations (PCONF policy), Operating System Versions (Measured Launch Environment, or MLE policy) and Authenticated Code Module (ACM) versions (SINIT policy).
  • PCONF policy Platform Configurations
  • MLE policy Operating System Versions
  • ACM Authenticated Code Module
  • the LCP values are protected using features of the TPM and are compared against measured PCR and ACM values to determine Platform and Operating System trust.
  • LCP provides a “go/no-go” mechanism for Secure Operating System Launch as well as providing enhanced protection against reset attacks and the ability to restrict access to specific TPM keys, data and resources.
  • Creating a Launch Control Policy can be a complex process and challenging to maintain. Given that the LCP process is a binary “go/no go” function, it can also be difficult to determine the root cause of LCP failures because the resulting inability to achieve Secure OS Launch is always the same. Moreover, depending on implementation, not all parts of LCP are included as part of the TCoT measurements, therefore it is possible for LCP to change and not impact the TCoT measurements.
  • A trust control management method for security in cloud computing, operable on a computer system, comprises:
  • Trust ID value: a unique encoded alphanumeric value
  • the method of generating and comparing the newly encoded Trust ID value with the original user-stored Trust ID value provides more robust and foolproof verification of the trust status of the user's computer system by encoding both user-defined values and hardware-specific values and storing the originally encoded Trust ID value in the hardware of the user's computer system.
  • the user-defined data may include a value associated with the geographical location where the user's computer system is to be deployed in order to define its grouping with the trusted computing pool associated with that geolocation.
  • the hardware-specific values may include values associated with a given version of firmware, BIOS, ROM, or other embedded code (collectively “firmware”) present on the hardware.
  • the creation of the Trust ID value may be carried out without the knowledge of the person storing the Trust ID value on the user's computer hardware as a precaution against security penetration and spoofing.
  • FIG. 1 illustrates a basic process for a TXT launch of a computer system.
  • FIG. 2 illustrates an example of attestation of a trusted launch of a computer platform grouped in a trusted computing pool.
  • FIG. 3 illustrates a current model for attestation and whitelist management following the Attestation Service (AS) architecture.
  • AS Attestation Service
  • FIG. 4 illustrates a provisioning tool for extending a user defined value to a server TPM chip.
  • FIG. 5 illustrates a sample geotag use case.
  • FIG. 6 illustrates a Trust Control Suite (TCS) that combines the functions of attestation and geotagging in a preferred embodiment of the present invention.
  • TCS Trust Control Suite
  • FIG. 7 illustrates the preferred TCS modular architecture.
  • FIG. 8 illustrates the Trust ID creation and validation process.
  • FIG. 9 illustrates sample Seed Values used to encode a Trust ID.
  • FIG. 10 illustrates a sample algorithm for generating a Trust ID value.
  • FIG. 11 illustrates sample Trust ID creation and provisioning process.
  • FIG. 12 illustrates a sample of creating a Trust ID from Seed Values.
  • FIG. 13 illustrates a sample of verifying a Trust ID.
  • FIG. 14 illustrates a sample of verifying a Trust ID from Seed Values.
  • FIG. 15 illustrates a sample of using a Trust ID for hardware-based attestation.
  • FIG. 16 illustrates a sample of using a Trust ID for geotagging.
  • FIG. 17 summarizes the overall architecture of the Trust Control Suite as used for security in virtualized environments.
  • a computer or computing resource commonly includes one or more input devices electronically coupled to a processor for executing one or more computer programs for producing an intended computing output.
  • the computer is typically connected as a computing resource and/or communications device on a network with other computer systems.
  • the networked computer systems may be of different types, such as remote PCs, master servers, network servers, and mobile client devices connected via a wired, wireless, or mobile communications network.
  • Internet refers to a structure of global networks connecting a universe of users via common or industry-standard protocols. Users having a connection to the Internet commonly use browsers on their computers or client devices to connect to websites maintained on web servers that provide informational content or business processes to users.
  • the Internet can also be connected to other networks using different data handling protocols through a gateway or system interface, such as wireless gateways to connect Internet websites to wireless data networks.
  • Wireless data networks are deployed worldwide and allow users anywhere to connect to the Internet via wireless data devices.
  • Attestation The process of vouching for the accuracy of information. External entities can attest to shielded locations, protected capabilities, and Roots of Trust. A platform can attest to its description of platform characteristics that affect the integrity (trustworthiness) of a platform. Both forms of attestation require reliable evidence of the attesting entity.
  • Authenticated Code Module (ACM): a digitally signed module validated by the processor before execution.
  • AS “Attestation Service”: a service procedure for attestation of a trusted launch of a computer platform grouped in a trusted computing pool.
  • BIOS Basic Input/Output System
  • DCoT Dynamic Chain of Trust
  • GRC governance, risk management, and compliance
  • GRC is the umbrella term covering an organization's approach across the areas of governance, risk management, and compliance.
  • IM Integrity Measurements
  • ISV An independent software vendor company specializing in making or selling software, designed for mass or niche markets.
  • ISV Product A product from an independent software vendor.
  • OS An operating system (OS) is a collection of software that manages a computer's hardware resources and provides common services for computer programs.
  • Hypervisor A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
  • a computer on which a hypervisor is running one or more virtual machines is defined as a host machine. Each virtual machine is called a guest machine.
  • the hypervisor presents the guest OS with a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of OSs may share the virtualized hardware resources.
  • PCR Platform Configuration Register
  • Policy Management The process of enforcing the rules and regulations (policies) of an organization that pertain to information and computing.
  • Remote Attestation means for one system to make reliable statements about the software it is running to another system.
  • RoT Root of Trust: In a TXT environment, the component (microprocessor) which serves as the trusted component that begins the measurements necessary to establish a chain of trust.
  • RTM Root of Trust for Measurement
  • SIEM Security Information and Event Management
  • SIM security information management
  • SEM security event manager
  • Static Chain of Trust (SCoT): A set of Transitive Trust Integrity Measurements that start when the platform powers on.
  • Transitive Trust also known as “Inductive Trust”
  • the Root of Trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the Root of Trust to include the second group of functions. In this case, the process can be iterated. The second group of functions can give a trustworthy description of the third group of functions, etc. Transitive trust is used to provide a trustworthy description of platform characteristics, and also to prove that non-migratable keys are non-migratable.
  • Trust Aware Proxy A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from client devices seeking resources from other servers.
  • a Trust Aware Proxy is a proxy server that is aware of the integrity and identity of the computer systems to which the Trust Aware Server is connecting.
  • Trust Aware App A software application that is aware of the integrity and identity of the computer system that is running the specific application.
  • User an individual user, business entity, public sector agency, and/or service provider to such entity or agency using a specific computer system.
  • The trust control management system and method provides a processor-based, tamper-resistant environment that combines user-defined values and hardware-specific values, such as firmware, BIOS, and/or operating system values, to compute a Trust ID value and compares it to a previously computed and stored (“known good”) Trust ID value to establish that a computer system is operating in a measured, trusted state within a trusted computing pool. If integrity and trust are not verified, the trust control management suite identifies that the system is not behaving as expected, and follows the proper embedded policy or policies to protect the computer system and/or the trusted computing pool and remediate the problem.
  • FIG. 1 illustrates a basic process for a TXT launch of a computer system.
  • processor microcode 11 starts a chain of measurements 12 and security checks, which include the BIOS, BIOS Authenticated Code Module (“ACM”), Option ROMs, Master Boot Record and OS Loader.
  • This chain of measurements 12 is referred to as the Static Chain of Trust (SCoT).
  • SCoT Static Chain of Trust
  • TCG Trusted Computing Group
  • The Dynamic Chain of Trust (DCoT) then begins with a special processor instruction that looks at the OS/Hypervisor 13 and starts a chain of measurements 14 and security checks of the SINIT ACM and key operating system (OS) components.
  • the LCP Engine is invoked by the SINIT ACM to validate the operating system components against any policy defined by the Platform Supplier or the Platform Owner.
  • the DCoT measurements are stored within the Trusted Platform Module (TPM).
  • a Remote Attestation Mechanism is used to securely expose the measurements 15 of the full Transitive Chain of Trust (TCoT) that are stored in the TPM to outside entities.
  • Because the TXT launch can evaluate and report on platform integrity using attestation mechanisms, it can provide valuable insights and controls when used in the context of cloud computing platforms. This allows other key software (hypervisor, cloud orchestration and management, and security policy applications) to understand and use platform integrity attributes to control workloads and data, and to better address security risks by keeping sensitive or regulated workloads separate from platforms with unknown integrity status.
  • FIG. 2 illustrates an example of attestation of a trusted launch of TXT-enabled platforms and possible non-TXT-enabled platforms grouped in a trusted computing pool.
  • An ISV Product needing to know whether it is addressing a trusted computing pool sends a Platform Trust Status request 21 to an Attestation Service (AS), which accesses a Remote Attestation Mechanism (in FIG. 1 ) for computers grouped in the trusted computing pool.
  • the AS sends a request 22 for Integrity Measurements (IM) to the computer platforms.
  • Each platform must send a reply 23 with its IM values.
  • the AS validates the IM against a Whitelist Database (DB) 24 of known-good values, and provides the definitive answers 25 to the above two key security questions to the ISV Product server.
  • DB Whitelist Database
  • the AS will require Roots of Trust implementation of a hardware-based trust-enabled OS or Hypervisor.
  • Each polled platform has to have a Root of Trust Measurement (RTM) that is implicitly trusted to provide an accurate measurement, which TXT provides.
  • RTM Root of Trust Measurement
  • the platform also has to have a Root of Trust for Reporting (RTR) and a Root of Trust for Storage (RTS), which the Trusted Platform Module (TPM) provides.
  • RTS Root of Trust for Storage
  • Attestation is the process of providing a digital signature of a set of platform configuration registers (PCRs)—a set of registers in a TPM that are extended with specific measurements for various launch modules of the software—and having the requestor validate the signature and the PCR contents.
  • the entity wishing to validate the values in the TPM requests these using the TPM_Quote command.
  • This command specifies an Attestation Identity Key to perform a digital signature of the quote, and a NONCE to ensure freshness of the digital signature.
  • the entity that challenged this information from the TPM can now make a determination about the trust of the platform by comparing the measurements contained in the TPM quote with “known good” or “golden” measurements.
  • FIG. 3 illustrates a current model for attestation and whitelist management following a suggested Attestation Service (AS) architecture.
  • the Whitelist Setup Process proceeds as follows: establish baseline reference values; create a Whitelist; import the Whitelist into the AS; the AS stores whitelist values in a database.
  • an ISV Product software sends a request 31 for the platform trust status from the Attestation Service (AS).
  • the AS requests the Integrity Measurements (IM) from each computer platform via Remote Attestation, and the platform responds with the integrity measurements.
  • the AS validates the integrity measurements against its Whitelist of known-good values.
  • the AS attests to the trustworthiness of the platforms in the trusted computing pool to the ISV Product server.
  • the disadvantages of the software-only Whitelist are that the whitelist values are ONLY recorded in software and are potentially subject to invalid updates, corruption or alteration; it employs multiple Attestation Service components; the OS/Hypervisor or Hypervisor Manager are intermediaries between the TPM and the AS; and successful attestation may not match actual intended values for a specific device.
  • Managing the “known good” values for different hypervisors, operating systems, and BIOS software versions, and ensuring they are protected from tampering and spoofing, is a critical IT operations challenge. This capability can be internal to a company, managed by a service provider, or delivered remotely as a service by a trusted third party.
  • FIG. 4 illustrates the basic methodology of how TXT utilizes a user-defined value stored to a non-volatile RAM (NVRAM) index in the TPM installed in a TXT enabled computer (see FIG. 1 ).
  • A provisioning tool 41 writes the value to NVRAM, which is later encoded into Platform Configuration Register (PCR) 22 of the TPM using the TPM_EXTEND function 42 during the trusted boot process.
  • PCR Platform Configuration Register
  • a Remote Attestation Mechanism is used to securely expose the PCR 22 value to outside entities.
  • the prior art only illustrates how a user may assign a homogeneous value, referred to as “geolocation” in the prior art, across a group of servers during the provisioning process.
  • a unique, device-specific Trust ID value is encoded by combining user-defined values and hardware-specific values associated with the user's computer system (see FIG. 12 ).
  • the value in PCR 22 is provided via a Remote Attestation Mechanism to an external Attestation Service.
  • FIG. 5 illustrates a sample Geotag use case representing the current usage of PCR 22.
  • the provisioning tool 51 writes a geotag hash value to NVRAM.
  • the geotag hash value is extended into PCR 22 and in step 53 is provided to outside entities via a Remote Attestation Mechanism to securely expose the results of the EXTENDED geotag hash value in PCR 22.
  • an ISV Product obtains the PCR 22 value via a Remote Attestation Mechanism, and in step 55 performs a look-up of the PCR 22 geotag hash value and finds it on a Geotag Lookup Table.
  • the values on the Geotag Lookup Table are searched for corresponding values in the Geotag Database.
  • the Geotag Database provides a user-readable/presentable string/description to the ISV Product.
  • the ISV Product can then take a predetermined action 58 based on a matched or mismatched Geotag value.
  • FIG. 6 illustrates a Trust Control Suite (TCS) in a preferred embodiment of the present invention that combines the functions of Attestation, Geotagging and Launch Control Policy in the Trust ID that is the subject of this invention. It further introduces the ability to use the same unique identifier for policy and compliance management, all based on values stored in the subject device's hardware.
  • TCS has the following five basic operations. In step 61 , it generates and stores a unique Trust ID value on each device of the trusted computing pool (see FIG. 10 ). In step 62 , the TCS obtains the Trust ID values associated with the devices. In step 63 , if requested by an optional Attestation Service (AS), a Hypervisor reports the Trust-ID measurements to the AS, which communicates them to the TCS in step 64 .
  • The TCS performs the following: (a) monitors integrity and identity of devices using information obtained from the devices, including Trust Measurements, Trust IDs and other hardware-specific values; (b) generates TCS Alerts on changes in integrity and identity of devices and communicates them to TCS Subscribers, which may include one or more of Trust-Aware Proxy, Trust-Aware App, TCS GUI, GRC, SIEM, and Policy Management; (c) generates TCS Events and communicates them to TCS Subscribers; and (d) orchestrates coordinated responses by TCS Subscribers, which can take action based on TCS Alerts and Events.
  • FIG. 7 illustrates the preferred TCS modular architecture.
  • the modular architecture includes a loosely coupled set of TCS Connectors that communicate with specific devices (either hardware or software) in a user's information infrastructure via industry standard protocols, including REST connection 71 , ASYNC connection 72 , and AMQP connection 73 from an associated database or library to a message bus.
  • a TCS Connector transmits through TCS connection 74 to an interface of a respective computing infrastructure Item 1, 2, etc., TCS Alerts and Events from the TCS to the subscribing device (TCS Subscriber) in a manner that is intelligible to the specific TCS Subscriber.
  • TCS Subscriber subscribing device
  • a TCS Connector may also transmit alerts and events from a TCS Subscriber to the TCS Control Module so that these may be processed into TCS Alerts and Events for other TCS Subscribers.
  • FIG. 8 illustrates a preferred embodiment of the creation and validation process of a unique Trust ID that is the subject of this invention.
  • a fundamental feature of the invention method described herein is the use of the Trust ID as a trust measurement that complements the SCoT and DCoT Measurements.
  • a Trust ID Configuration Tool (TConfig) of the TCS generates in step 81 a unique Trust ID for each device using a combination of hardware-specific values obtained from the subject device and user-specific values stored in a device database (Seed Values).
  • the TConfig uses an algorithm that: (i) performs a HASH function against the Seed Values to create cryptographic Hash values; (ii) arranges the resulting Hash values in a specific sequence (saving the specific sequence order for future retrieval by TConfig); and (iii) performs an Extend operation against each Hash value in the specific Sequence.
  • the final Extended Value can now be stored on the device as the unique Trust ID, preferably in a cryptographically protected space such as an index in NVRAM on the hardware TPM. Depending on the implementation, the Trust ID could be further extended from NVRAM into a PCR on the TPM.
  • In step 82, the TCS, in response to an attestation request through the Remote Attestation Mechanism, recalculates the Trust-ID value and verifies it against the stored value, and in step 83 orchestrates alerts and events as appropriate (see FIG. 7 ).
  • FIG. 9 illustrates sample Seed Values used to encode a Trust ID.
  • A User chooses the categories of Device-specific Seed Values 91 , Contextual Values 92 , User-specific Seed Values 93 , Policy Values 94 and Configuration Values 95 that TConfig will use to generate the Trust ID 96 .
  • FIG. 10 illustrates a sample algorithm for generating a Trust ID value.
  • the preferred algorithm generates a corresponding hash for each Seed Value in step 101 , determines a sequencing of the hash values in step 102 , performs an “Extend” operation encoding the hash values in step 103 , and the resulting value in step 104 is the Trust ID value ultimately to be written to the desired location, for example TPM.
  • FIG. 11 illustrates a sample Trust ID creation and provisioning process.
  • the system boots using a local Provisioning Tool to measure the SCoT and DCoT values in step 111, and obtains local Seed Values from the device in step 112.
  • the list that the local Provisioning Tool provides includes, inter alia, the actual Device-specific Seed Values for such types of Seed Values initially chosen by the User.
  • the Provisioning Tool sends all these results to the TConfig, in this case configured as a module of TCS, and requests a Trust ID in step 113 .
  • the TCS via TConfig remotely creates the unique, device-specific Trust ID and sends it in step 114 to the requesting Provisioning Tool, which stores the Trust ID value in NVRAM in step 115 .
  • TConfig obtains the previously stored Seed Value Configuration from the Database, determines a Sequence, calculates the unique hardware- and user-specific Trust ID, returns the Trust ID to the local Provisioning Tool, and associates the Sequence to the Seed Values Configuration in the Database.
  • upon receiving the Trust ID, the Provision Tool stores the Trust ID on the subject device as part of the standard process for provisioning such a device for use.
  • FIG. 12 illustrates a sample of the data flow for creating a Trust ID from Seed Values.
  • the system boots using a local Provisioning Tool and obtains and transmits a full list of device values in step 121 , which are not previously known to the User or TConfig.
  • TConfig obtains the pre-existing User configuration of required seed values in step 122 , which is not previously known to Provisioning Tool or TConfig.
  • TConfig assembles the list of required seed values in step 123 , chooses a sequence for encoding them in step 124 (not known to the User or Provisioning Tool), calculates the Trust ID in step 125 and delivers the Trust ID to the Provisioning Tool.
  • TConfig associates the chosen sequence with the User configuration, but stores it separately in a TConfig Database (DB) in step 126 .
  • FIG. 13 illustrates a sample of how to recalculate and verify a Trust ID.
  • TCS obtains SCoT and DCoT Measurements, Trust ID, and local Seed Values from the specific device in step 131 in response to a request, a random event or predetermined schedule as part of the normal process described with respect to FIG. 6 , and the Remote Attestation Mechanism reports the TCoT values to the TCS, including Trust ID, Seed Values (see FIG. 8 ).
  • TConfig recalculates the Trust ID using the currently reported hardware-specific Seed Values, together with the user-specific values and the Sequence stored in the Database.
  • the OS or Hypervisor reports other local Seed Values to the TCS in step 132 .
  • the TCS DB provides User defined formula and remote Seed Values in step 133 .
  • TCS calculates a fresh Trust ID based on the User-defined formula for the reporting device, using the Extend Function if necessary, and compares the Expected Trust ID with the Reported Trust ID from the reporting device (see FIG. 14).
  • in step 135, based on whether or not there is a match, TCS Alerts Subscribers to the results according to the chosen policies.
  • in step 136 TCS logs the results for audit reporting.
  • FIG. 14 illustrates a sample of verifying a Trust ID from Seed Values.
  • TCS for the platform System via the Remote Attestation Mechanism and OS/Hypervisor obtains in step 141 SCoT and DCoT Measurements, Trust ID, and local Seed Values from the specific device, which are not previously known to the User or TConfig.
  • TConfig obtains in step 142 the pre-existing User configuration of required seed values, which are not previously known to the OS/hypervisor or TConfig.
  • TConfig assembles a list of required seed values in step 143 , retrieves in step 144 the encoding sequence from its database (not known to the User or the OS/hypervisor), calculates in step 145 the Trust ID, and compares it in step 146 to the stored Trust ID retrieved from the device. TConfig creates in step 147 an appropriate message with the result, and saves the result in its database in step 148 .
  • if the resulting Trust ID matches the reported Trust ID, then implicitly all of the original device-specific Seed Values from the device and the User-specific Seed Values from the Database must match, and, furthermore, the Trust ID was created using the Sequence stored in the Database. If the resulting Trust ID does not match the reported Trust ID, then at least one Seed Value has changed or an incorrect Trust ID has been provisioned on the subject device, either of which implicitly breaches the trust of the subject device.
  • FIG. 15 illustrates a sample of using a Trust ID for hardware-based Attestation.
  • the TCS generates and stores the Trust ID value and includes the required whitelist values as Seed Values (see FIG. 12 ).
  • it recalculates and verifies the Trust ID based on User-defined encoding formula.
  • it determines whether the expected Trust ID matches the reported Trust ID; a match means that the whitelist values must be present on the remote device.
  • it orchestrates alerts and/or policy events based on the result.
  • Advantages of embedding the whitelist value in the Trust ID include: if the Trust ID recalculates, then Attestation is automatic; the expected whitelist value is stored BEFORE the OS/hypervisor takes control of the TPM; Attestation occurs independent of any external software-only AS; whitelist changes (updated, corrupted or altered) do not impact attestation of the individual device; in the case of a Trust ID mismatch, the Trust ID provides additional evidence as to the source, nature and timeline of the cause; and it is not limited to servers or TXT implementations.
  • FIG. 16 illustrates a sample of using a Trust ID with Geotagging.
  • the geotag value for the trusted computing pool is used to generate and store the Trust ID.
  • TCS recalculates and verifies the Trust ID based on the User-defined chosen formula (see FIG. 13 ).
  • the Trust ID can be decoded to reveal the common geotag value.
  • the TCS orchestrates alerts and policy events based on the result.
  • the unique, device-specific Trust ID value reduces the chance of spoofing; in converged infrastructure deployments, each individual blade server has a unique Trust ID; it is not limited to servers or TXT implementations; in the case of a Trust ID mismatch, the Trust ID provides additional evidence as to the source, nature and timeline of the cause; and it can be combined with other Seed Values.
  • FIG. 17 summarizes the overall architecture of the Trust Control Suite as used for security in virtualized environments in cloud computing.
  • the Trust Control Suite administered by TCS Admin acts as an intermediary in cloud computing between the computing infrastructure platforms of subscribing Customers 1, 2, 3, etc. and their respective shared-workload applications C1, C2, C3, etc. that are delivered.
  • the Trust Control Suite has a Management Module and Customer Instances that include a TMQ interface VH1, VH2, VH3, etc. for each Customer platform.
  • a Trust ID can include other Trust IDs as Seed Values, and can serve as multiple Attestation points.
  • the Trust ID can be used in systems to provide additional evidence as to the source, nature and timeline of the cause of a breach of trust.
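The following Python is an added illustration of the Trust ID life cycle described for FIGS. 10 through 14 above; it is not code from the patent or from Trapezoid. It hashes each Seed Value, orders the hashes by a Sequence that only the TConfig database knows, folds them with a TPM-style Extend (new = H(old || measurement)), hands the result to the device to store as its Trust ID, and later recomputes the value from freshly reported hardware seeds plus the stored user seeds and Sequence. SHA-256 as the digest, the sample seed names and values, the `TConfig` class and the dict standing in for TPM NVRAM are all assumptions of this example.

```python
"""Trust ID generation and verification (added example, not the patent's code).

Models FIGS. 10-14: hash each Seed Value, order the hashes by a secret Sequence,
fold them with a TPM-style Extend, store the result on the device as the Trust ID,
and verify by recomputing from currently reported hardware seeds plus the
user seeds and Sequence held in the TConfig database.
Assumptions: SHA-256 digest, constructed seed names/values, a dict in place of
TPM NVRAM.  Nothing here talks to a real TPM.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

DIGEST = hashlib.sha256          # assumption: the page's geotag example uses SHA-1


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style Extend: the register becomes H(old_register || measurement)."""
    return DIGEST(register + measurement).digest()


def compute_trust_id(seeds: Dict[str, str], sequence: List[str]) -> bytes:
    """Steps 101-104: hash every Seed Value, then Extend the hashes in Sequence order."""
    hashes = {name: DIGEST(value.encode()).digest() for name, value in seeds.items()}
    register = bytes(DIGEST().digest_size)           # all-zero starting register
    for name in sequence:
        register = extend(register, hashes[name])
    return register


class TConfig:
    """Trust ID Configuration Tool: holds user seeds, required device seed types, Sequence."""

    def __init__(self) -> None:
        self.db: Dict[str, dict] = {}

    def configure(self, device_id: str, user_seeds: Dict[str, str],
                  required_device_types: List[str]) -> None:
        """User chooses seed categories (FIG. 9); the Sequence is not chosen yet."""
        self.db[device_id] = {"user_seeds": dict(user_seeds),
                              "required": list(required_device_types), "sequence": None}

    def _assemble(self, device_id: str, reported: Dict[str, str]) -> Dict[str, str]:
        """Steps 123/143: pick the required device values and merge the user seeds."""
        rec = self.db[device_id]
        missing = [t for t in rec["required"] if t not in reported]
        if missing:                                   # a device that omits a seed cannot be trusted
            raise KeyError(f"device {device_id} did not report {missing}")
        seeds = {t: reported[t] for t in rec["required"]}
        seeds.update(rec["user_seeds"])
        return seeds

    def provision(self, device_id: str, reported: Dict[str, str]) -> bytes:
        """Steps 124-126: choose a Sequence, compute the Trust ID, store Sequence separately."""
        seeds = self._assemble(device_id, reported)
        sequence = list(seeds)
        secrets.SystemRandom().shuffle(sequence)      # Sequence never leaves TConfig
        self.db[device_id]["sequence"] = sequence
        return compute_trust_id(seeds, sequence)

    def verify(self, device_id: str, reported: Dict[str, str], reported_trust_id: bytes) -> dict:
        """Steps 144-148: recompute with the stored Sequence and compare in constant time."""
        seeds = self._assemble(device_id, reported)
        expected = compute_trust_id(seeds, self.db[device_id]["sequence"])
        match = hmac.compare_digest(expected, reported_trust_id)
        return {"device": device_id, "match": match,
                "message": "trusted" if match else "Trust ID mismatch: seed changed or wrong Trust ID provisioned"}


def make_device(bios_version: str, serial: str) -> dict:
    """Constructed device: values the local tool can read, plus a stand-in for TPM NVRAM."""
    return {"values": {"bios_version": bios_version, "serial": serial}, "nvram": {}}


def provision_device(tconfig: TConfig, device_id: str, device: dict) -> None:
    """FIG. 11 steps 113-115: request a Trust ID and store it on the device."""
    device["nvram"]["trust_id"] = tconfig.provision(device_id, device["values"])


def attest_device(tconfig: TConfig, device_id: str, device: dict) -> dict:
    """FIG. 13/14: device reports its seeds and stored Trust ID; TConfig verifies."""
    return tconfig.verify(device_id, device["values"], device["nvram"]["trust_id"])


if __name__ == "__main__":
    tc = TConfig()
    user_seeds = {"geotag": "USA", "whitelist": "hv-build-0001"}   # constructed values
    blade = make_device("BIOS 2.3", "SN-0001")
    tc.configure("blade-1", user_seeds, ["bios_version", "serial"])
    provision_device(tc, "blade-1", blade)
    print(attest_device(tc, "blade-1", blade)["message"])          # trusted
    blade["values"]["bios_version"] = "BIOS 2.4"                   # firmware changed
    print(attest_device(tc, "blade-1", blade)["message"])          # mismatch
```

Two properties the patent relies on fall out directly: two blades configured with the same geotag and whitelist seeds still receive different Trust IDs because their hardware seeds differ, and any change to a hardware seed, a user seed or the Sequence changes the recomputed value, so a match implies all of them are unchanged.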

Abstract

A trust control management method for security, operable on a computer system, generates a unique Trust ID value by combining user-defined values with hardware-specific values associated with the user's computer system and stores the Trust ID value in a memory register physically associated with the hardware of the computer system. A Trust Control Suite (TCS) operable with a server OS/hypervisor maintains a database of user-defined values and hardware-specific values for computer systems clustered in a trusted computing pool. An attestation procedure is performed by the trust control server by combining the user-defined values with the hardware-specific values from its database and comparing the result to the user-stored Trust ID value stored in the memory register associated with a user's computer system. Depending on whether it is a match or mismatch, the TCS can determine whether the computer is trusted or not, and can issue appropriate alerts and take policy actions.

Description

  • This U.S. patent application is a continuation and claims the priority filing benefit of U.S. patent application Ser. No. 14/142,394 filed on Dec. 27, 2013, of the same inventors.
  • BACKGROUND OF INVENTION
  • Shared cloud computing technologies are designed to be very agile and flexible, transparently using available resources to process workloads for their customers. However, there are security and privacy concerns with not knowing the integrity, identity and location of the physical devices that make up a cloud platform, and allowing unrestricted workload migration among the servers that comprise an unverified cloud platform and across such unverified cloud platforms. Whenever multiple workloads are present on a multi-server cloud platform, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other's sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same cloud platform; each company would want to ensure that the servers housing their workloads are trusted to protect their information from the other company as well as any other unauthorized access.
  • Another concern with shared cloud computing is that workloads could move from servers in a cloud platform located in one country to servers in a cloud platform located in another country. Each country has its own laws for data security, privacy, and other aspects of information technology (IT). Because the requirements of these laws may conflict with an organization's policies or mandates (e.g., laws, regulations), an organization may decide that it needs to restrict which cloud platform it uses based on its specific location. A common desire is to only use a cloud platform with servers physically located within the same country as the organization.
  • Forming trusted computing pools is a leading approach to aggregate trusted systems and segregate them from untrusted resources. This allows for the separation of higher-value, more sensitive workloads from commodity applications and data. The principles of operation are to: (1) Create a cloud platform to meet the specific and varying security requirements of users; (2) Control access to that cloud platform so that only the right applications get deployed there; and (3) Enable audits of the cloud platform so that users can verify compliance.
  • Such trusted computing pools allow IT to gain the benefits of the dynamic cloud environment while still enforcing higher levels of protections for their more critical workloads. The ultimate goal is to be able to use trusted verification and identification methodologies for deploying and migrating cloud workloads between and among trusted servers within a cloud platform. Current thinking has identified certain prerequisite steps, which can be thought of as staged requirements that a trusted cloud platform solution must meet:
  • Platform Attestation and Safe Hypervisor Launch:
  • This stage attempts to ensure that the cloud workloads are run on trusted servers within the cloud platform. The cloud platform includes servers each with a hardware configuration (e.g., BIOS settings) and a hypervisor configuration. The hypervisor operates directly on the hardware, not on top of another operating system, thus it is imperative to show that the hypervisor has not been compromised and that it is the designated version and configuration. Before the server is used for workloads, its trustworthiness must be verified (measured). The items configured in the BIOS and hypervisor need to have their configurations verified before launching the hypervisor to ensure that the assumed level of trust is in place.
  • Trust-Based Homogeneous Secure Migration:
  • Once the integrity of the cloud platform is established, the next stage requires that cloud workloads are able to be migrated among homogeneous trusted server platforms within a cloud environment.
  • Trust-Based and Geolocation-Based Homogeneous Secure Migration:
  • This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud environment, taking into consideration geolocation restrictions.
  • Achieving all three levels of control will not prevent attacks from succeeding, but unauthorized changes to the hypervisor or BIOS can be detected and launch of enforcement actions can be taken. These controls also facilitate compliance with security and governance policies, thus limiting damage to the information being processed or accessed within the cloud computing server.
  • However, the current approach to forming trusted computing pools by ensuring safe hypervisor launches and monitoring attestation of cloud server platforms has the deficiency that the conventional hypervisor management tools are software-based and run from a platform server virtually connected to remote client computers.
  • An example of a trust management technology for forming trusted computing pools is provided by Intel® Trusted Execution Technology (“TXT”). TXT implements a foundation for establishing a Transitive Chain of Trust (TCoT) that is rooted in hardware. Each module within the chain has an opportunity to examine and measure the next module, prior to that module's execution. The resulting Integrity Measurements (IM) are stored in shielded locations within a Trusted Platform Module (TPM). By using a secure communication method via the process of Remote Attestation, a third party can later request the IMs as evidence and proof that the BIOS and Operating System meet standards and thus are trusted.
  • In addition, TXT provides a method for introducing a user-defined value into the chain of evidence by storing that value in a specific secured NVRAM index with the TPM. The current art is to write the identical user-defined value into the TPM NVRAM index of a group of servers to designate a logical grouping or pool. Common terms for this method are “Geotag”, “Geolocation” and “Geofence” because historically the first user-defined values used in demonstrating this capability were geographic in nature. In a current implementation of this process, a country code or Geotag is encrypted using a SHA1 function and the resulting Geotag value is stored in the TPM NVRAM index, e.g. SHA1 (“USA”). During the boot process, the Trusted Boot (TBOOT) module that initializes the BIOS uses a “TPM EXTEND” function to Extend the TPM NVRAM index Geotag value into Platform Configuration Register (PCR) 22. To validate the Geotag, the value in PCR22 is compared with an externally maintained lookup table.
  • However, the value placed into the TPM NVRAM index could be any arbitrary value because the lookup table only validates against the resulting PCR22 value. The validation confirms that PCR22 == LookupHash(Geotag) but does not validate that Extend(PCR22, SHA1(Geotag)) == LookupHash(Geotag). The PCR Extend operation is not part of the validation.
  • There are drawbacks with deploying a homogeneous Geotag value across a number of server platforms within a Geofence. First, the fact that the value can be read by a virtual request to scan the value written in PCR 22 raises the concern that it could be spoofed. In addition, a bad actor could introduce a rogue machine into the Geofence that displays the “expected” PCR 22 Geotag value. A less nefarious but nonetheless important issue is the inability of the common Geotag to tie specific virtual machines to unique physical platform hosts from an evidentiary and forensics perspective. What is needed is a more robust and foolproof way of ensuring that Geotag of a trusted virtual machine cannot be spoofed.
  • Finally, TXT includes an additional mechanism termed “Launch Control Policy” (LCP), which allows the Platform Supplier (the manufacturer) and the Platform Owner (customer) each to specify requirements for a Secure Operating System Launch. The LCP policies contain specifications of valid Platform Configurations (PCONF policy), Operating System Versions (Measured Launch Environment, or MLE policy) and Authenticated Code Module (ACM) versions (SINIT policy). The LCP values are protected using features of the TPM and are compared against measured PCR and ACM values to determine Platform and Operating System trust. LCP provides a “go/no-go” mechanism for Secure Operating System Launch as well as providing enhanced protection against reset attacks and the ability to restrict access to specific TPM keys, data and resources.
  • Creating a Launch Control Policy can be a complex process and challenging to maintain. Given that the LCP process is a binary “go/no go” function, it can also be difficult to determine the root cause of LCP failures because the resulting inability to achieve Secure OS Launch is always the same. Moreover, depending on implementation, not all parts of LCP are included as part of the TCoT measurements, therefore it is possible for LCP to change and not impact the TCoT measurements.
  • SUMMARY OF INVENTION
  • In accordance with the present invention, a trust control management method for security in cloud computing, operable on a computer system, comprises:
  • generating a unique encoded alphanumeric value (Trust ID value) by combining a set of alphanumeric values defined by a user of the computer system with a set of other alphanumeric values associated with specific physical hardware embodied with the user's computer system using an encoding algorithm;
  • storing the Trust ID value associated with the hardware of the user's computer system;
  • maintaining in a database the user-defined values associated with the user's computer system, together with a list of the types of physical hardware-specific values associated with the user's computer system that are to be retrieved from the user's computer system and combined with the user-defined values, and the encoding algorithm; and
  • performing an attestation procedure via a trust control application by combining the user-defined values retrieved from the database with the selected physical hardware-specific values retrieved from the user's computer system using the same trust encoding algorithm retrieved from the database that was used to encode the original Trust ID value stored in the hardware of the user's computer system;
  • comparing the Trust ID value obtained in the attestation procedure with the original Trust ID value stored in the hardware of the user's computer system, and upon a match, determining that the user's computer system is a trusted computer system, or upon failure to match, determining that the user's computer system is not a trusted computer system, then taking an appropriate security action by the trust control application.
  • The method of generating and comparing the newly encoded Trust ID value with the original user-stored Trust ID value provides more robust and foolproof verification of the trust status of the user's computer system by encoding both user-defined values and hardware-specific values and storing the originally encoded Trust ID value in the hardware of the user's computer system.
  • The user-defined data may include a value associated with the geographical location where the user's computer system is to be deployed in order to define its grouping with the trusted computing pool associated with that geolocation.
  • The hardware-specific values may include values associated with a given version of firmware, BIOS, ROM, or other embedded code (collectively “firmware”) present on the hardware.
  • The creation of the Trust ID value may be carried out without the knowledge of the person storing the Trust ID value on the user's computer hardware as a precaution against security penetration and spoofing.
  • Other objects, features, and advantages of the present invention will be explained in the following detailed description with reference to the appended drawings.
  • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 illustrates a basic process for a TXT launch of a computer system.
  • FIG. 2 illustrates an example of attestation of a trusted launch of a computer platform grouped in a trusted computing pool.
  • FIG. 3 illustrates a current model for attestation and whitelist management following the Attestation Service (AS) architecture.
  • FIG. 4 illustrates a provisioning tool for extending a user defined value to a server TPM chip.
  • FIG. 5 illustrates a sample geotag use case.
  • FIG. 6 illustrates a Trust Control Suite (TCS) that combines the functions of attestation and geotagging in a preferred embodiment of the present invention.
  • FIG. 7 illustrates the preferred TCS modular architecture.
  • FIG. 8 illustrates the Trust ID creation and validation process.
  • FIG. 9 illustrates sample Seed Values used to encode a Trust ID.
  • FIG. 10 illustrates a sample algorithm for generating a Trust ID value.
  • FIG. 11 illustrates a sample Trust ID creation and provisioning process.
  • FIG. 12 illustrates a sample of creating a Trust ID from Seed Values.
  • FIG. 13 illustrates a sample of verifying a Trust ID.
  • FIG. 14 illustrates a sample of verifying a Trust ID from Seed Values.
  • FIG. 15 illustrates a sample of using a Trust ID for hardware-based attestation.
  • FIG. 16 illustrates a sample of using a Trust ID for geotagging.
  • FIG. 17 summarizes the overall architecture of the Trust Control Suite as used for security in virtualized environments.
  • DETAILED DESCRIPTION OF INVENTION
  • In the following detailed description, certain preferred embodiments are described as illustrations of the invention in specific resource applications, communication networks, and/or computer-implemented services or application environments in order to provide a thorough understanding of the present invention. Common methods, procedures, components, or functions for such applications, networks, and/or services or environments which are commonly known to persons of ordinary skill in the field of the invention are not described in detail so as not to unnecessarily obscure a concise description of the present invention. Certain specific embodiments or examples are given for purposes of illustration only, and it will be recognized by one skilled in the art that the present invention may be practiced in other analogous applications or environments and/or with other analogous or equivalent variations of the illustrative embodiments.
  • The computer-implemented services or application environments in the detailed description which follows may be presented in terms of certain procedures, steps, logic blocks, processing, and other symbolic representations of functional operations implemented on a computer device by a computer program operable on data bits stored within a computer memory. These descriptions and representations are intended to be understood by those skilled in the data processing arts. A program procedure, computer-executed step, logic block, process, etc., is described as a self-consistent sequence of steps or instructions leading to a desired end result, such as providing a tangible computer output, such as an alarm, status indicator, or data display, or implemented by computer to result in physical manipulations of physical quantities or materials. Usually, though not necessarily, such tangible computer-implemented output may take the form of electrical outputs or signals capable of being displayed, stored, transferred, combined, compared, and otherwise manipulated in a computer system.
  • It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following descriptions, terms such as “processing” or “computing” or “translating” or “calculating” or “determining” or “displaying” or “recognizing” or the like, refer to the action and processes of a computer system, or analogous electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
  • A computer or computing resource commonly includes one or more input devices electronically coupled to a processor for executing one or more computer programs for producing an intended computing output. The computer is typically connected as a computing resource and/or communications device on a network with other computer systems. The networked computer systems may be of different types, such as remote PCs, master servers, network servers, and mobile client devices connected via a wired, wireless, or mobile communications network.
  • The term “Internet” refers to a structure of global networks connecting a universe of users via common or industry-standard protocols. Users having a connection to the Internet commonly use browsers on their computers or client devices to connect to websites maintained on web servers that provide informational content or business processes to users. The Internet can also be connected to other networks using different data handling protocols through a gateway or system interface, such as wireless gateways to connect Internet websites to wireless data networks. Wireless data networks are deployed worldwide and allow users anywhere to connect to the Internet via wireless data devices.
  • The following definitions are used for certain specific terms applied in this description:
  • “Attestation”: The process of vouching for the accuracy of information. External entities can attest to shielded locations, protected capabilities, and Roots of Trust. A platform can attest to its description of platform characteristics that affect the integrity (trustworthiness) of a platform. Both forms of attestation require reliable evidence of the attesting entity.
  • “Authenticated Code Module” (ACM): a digitally signed module validated by the processor before execution.
  • “Attestation Service” (AS): a service procedure for attestation of a trusted launch of a computer platform grouped in a trusted computing pool.
  • “Basic Input/Output System” (BIOS): a set of computer instructions in firmware that control input and output operations.
  • “Core Root of Trust for Measurement” (CRTM): The instructions executed by the platform when it acts as the RTM.
  • “Dynamic Chain of Trust” (DCoT): A set of Transitive Trust Integrity Measurements that starts on request by the operating system via a special processor instruction.
  • “GRC”: Governance, risk management, and compliance (GRC) is the umbrella term covering an organization's approach across the areas of governance, risk management, and compliance.
  • “Integrity Measurement” (IM): Values that are the results of measurements on the integrity of the platform. Also referred to as “Trust Measurement”.
  • “ISV”: An independent software vendor company specializing in making or selling software, designed for mass or niche markets.
  • “ISV Product”: A product from an independent software vendor.
  • “OS”: An operating system (OS) is a collection of software that manages a computer's hardware resources and provides common services for computer programs.
  • “Hypervisor”: A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor is running one or more virtual machines is defined as a host machine. Each virtual machine is called a guest machine. The hypervisor presents the guest OS with a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of OSs may share the virtualized hardware resources.
  • “Platform Configuration Register” (PCR): A shielded location within a TPM containing a digest of integrity digests.
  • “Policy Management”: The process of enforcing the rules and regulations (policies) of an organization that pertain to information and computing.
  • “Remote Attestation”: a means for one system to make reliable statements about the software it is running to another system.
  • “Root of Trust” (RoT): In a TXT environment, the component (microprocessor) which serves as the trusted component that begins the measurements necessary to establish a chain of trust.
  • “Root of Trust for Measurement” (RTM): A computing engine capable of making inherently reliable integrity measurements. Typically the normal platform computing engine, controlled by the CRTM. This is the root of the chain of transitive trust.
  • “SIEM”: Security Information and Event Management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
  • “Static Chain of Trust” (SCoT): A set of Transitive Trust Integrity Measurements that start when the platform powers on.
  • “Transitive Chain of Trust” (TCoT): The full set of Integrity Measurements, including the Static Chain of Trust and Dynamic Chain of Trust.
  • “Transitive Trust”: Also known as “Inductive Trust”, in this process the Root of Trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the Root of Trust to include the second group of functions. In this case, the process can be iterated. The second group of functions can give a trustworthy description of the third group of functions, etc. Transitive trust is used to provide a trustworthy description of platform characteristics, and also to prove that non-migratable keys are non-migratable.
  • “Trust Aware Proxy”: A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from client devices seeking resources from other servers. A Trust Aware Proxy is a proxy server that is aware of the integrity and identity of the computer systems to which the Trust Aware Server is connecting.
  • “Trust Aware App”: A software application that is aware of the integrity and identity of the computer system that is running the specific application.
  • “Trust Control Suite” (TCS): a suite of trust control management tools to establish a measured, trusted environment within a trusted computing pool, and to carry out policies to protect the security of the trusted computing pool.
  • “Trusted Execution Technology” (TXT): the name of a computer hardware technology whose primary goals are (a) Attestation: attest to the authenticity of a platform and its operating system (OS); (b) assure that an authentic OS starts in a trusted environment and thus can be considered a trusted OS; (c) provide the trusted OS with additional security capabilities not available to an unproven OS.
  • “Trusted Platform Module” (TPM): A hardware device implementing the functions defined in the TCG Trusted Platform Module Specification.
  • “User”: an individual user, business entity, public sector agency, and/or service provider to such entity or agency using a specific computer system.
  • In a preferred embodiment in accordance with the present invention, the trust control management system and method provides a processor-based, tamper-resistant environment that combines user-defined values and hardware-specific values, such as firmware, BIOS, and/or operating system values, to compute a Trust ID value and compares it to a previously computed and stored (“known good”) Trust ID value to establish that a computer system is operating in a measured, trusted state within a trusted computing pool. If integrity and trust are not verified, the trust control management suite identifies that the system is not behaving as expected, and follows the proper embedded policy or policies to protect the computer system and/or the trusted computing pool and to remediate the problem.
  • FIG. 1 illustrates a basic process for a TXT launch of a computer system. At platform power-on, processor microcode 11 starts a chain of measurements 12 and security checks, which include the BIOS, BIOS Authenticated Code Module (“ACM”), Option ROMs, Master Boot Record and OS Loader. This chain of measurements 12 is referred to as the Static Chain of Trust (SCoT). Following Trusted Computing Group (TCG) specifications, the SCoT measurements are stored within the Trusted Platform Module (TPM). The Dynamic Chain of Trust (DCoT) then begins with a special processor instruction that looks at the OS/Hypervisor 13 and starts a chain of measurements 14 and security checks of the SINIT ACM and key operating system (OS) components. The LCP Engine is invoked by the SINIT ACM to validate the operating system components against any policy defined by the Platform Supplier or the Platform Owner. The DCoT measurements are stored within the Trusted Platform Module (TPM). A Remote Attestation Mechanism is used to securely expose the measurements 15 of the full Transitive Chain of Trust (TCoT) that are stored in the TPM to outside entities.
  • Because the TXT launch can evaluate and report on platform integrity using attestation mechanisms, it can provide valuable insights and controls when used in the context of cloud computing platforms. This allows other key software—hypervisor, cloud orchestration and management, and security policy applications—to understand and use platform integrity attributes to control workloads and data and better address security risks by keeping sensitive or regulated workloads separate from platforms with unknown integrity status.
  • In order to have attestation of a trusted launch of a computer platform grouped in a trusted computing pool, two key questions that an inquiring entity should have answered are:
  • 1. How would the entity needing this attestation information know if a specific computer platform has performed a secure launch?
  • 2. Why should the entity requesting the attestation information believe the response from the attested computer platform?
  • FIG. 2 illustrates an example of attestation of a trusted launch of TXT-enabled platforms and possible non-TXT-enabled platforms grouped in a trusted computing pool. An ISV Product needing to know whether it is addressing a trusted computing pool sends a Platform Trust Status request 21 to an Attestation Service (AS), which accesses a Remote Attestation Mechanism (in FIG. 1) for computers grouped in the trusted computing pool. The AS sends a request 22 for Integrity Measurements (IM) to the computer platforms. Each platform must send a reply 23 with its IM values. The AS validates the IM against a Whitelist Database (DB) 24 of known-good values, and provides the definitive answers 25 to the above two key security questions to the ISV Product server. The AS will require Roots of Trust implementation of a hardware-based trust-enabled OS or Hypervisor. Each polled platform has to have a Root of Trust Measurement (RTM) that is implicitly trusted to provide an accurate measurement, which TXT provides. The platform also has to have a Root of Trust for Reporting (RTR) and a Root of Trust for Storage (RTS), which the Trusted Platform Module (TPM) provides.
  • Attestation is the process of providing a digital signature of a set of platform configuration registers (PCRs)—a set of registers in a TPM that are extended with specific measurements for various launch modules of the software—and having the requestor validate the signature and the PCR contents. The entity wishing to validate the values in the TPM requests these using the TPM_Quote command. This command specifies an Attestation Identity Key to perform a digital signature of the quote, and a NONCE to ensure freshness of the digital signature. The entity that challenged this information from the TPM can now make a determination about the trust of the platform by comparing the measurements contained in the TPM quote with “known good” or “golden” measurements.
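The quote-and-compare step described above, as an added illustration (constructed example code, not from the patent or from any TPM library): PCRs are extended from a sample measurement log, a simulated TPM_Quote binds the challenger's nonce to the PCR values, and the verifier checks freshness, then the signature, then each PCR against the known-good values. The PCR indices, the sample measurements, the SHA-256 PCR width and the HMAC stand-in for the Attestation Identity Key signature are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample measurement log (not from the patent): SHA-256 digests of
# the Static Chain of Trust components, keyed by the PCR each is extended into.
GOLDEN_MEASUREMENTS = {
    0: [hashlib.sha256(b"bios-v1.2").digest(),
        hashlib.sha256(b"bios-acm-v1.2").digest()],
    2: [hashlib.sha256(b"option-rom-nic").digest()],
    4: [hashlib.sha256(b"mbr").digest(),
        hashlib.sha256(b"os-loader-v3").digest()],
}
PCR_INITIAL = bytes(32)  # PCRs start at zero at platform power-on

# Stand-in for the Attestation Identity Key (assumption). A real TPM signs the
# quote with an asymmetric AIK; a shared HMAC key keeps this example offline.
AIK_KEY = b"constructed-aik-secret"


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def compute_pcrs(measurements: dict) -> dict:
    """Replay a measurement log into PCR values, as the TPM does during boot."""
    pcrs = {}
    for index, digests in measurements.items():
        value = PCR_INITIAL
        for digest in digests:
            value = pcr_extend(value, digest)
        pcrs[index] = value
    return pcrs


GOLDEN_PCRS = compute_pcrs(GOLDEN_MEASUREMENTS)  # the "known good" whitelist


def _quote_digest(pcrs: dict, nonce: bytes) -> bytes:
    """What the AIK signs: the nonce bound to the selected PCRs, in index order."""
    return hashlib.sha256(nonce + b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def tpm_quote(pcrs: dict, nonce: bytes) -> dict:
    """Platform side: simulated TPM_Quote over the current PCRs and the nonce."""
    sig = hmac.new(AIK_KEY, _quote_digest(pcrs, nonce), hashlib.sha256).digest()
    return {"pcrs": dict(pcrs), "nonce": nonce, "sig": sig}


def validate_quote(quote: dict, expected_nonce: bytes, golden: dict):
    """Challenger side. Order matters: freshness, then signature, then the
    whitelist comparison. Returns (trusted, reason)."""
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return False, "stale nonce: quote is not fresh (possible replay)"
    expected_sig = hmac.new(AIK_KEY, _quote_digest(quote["pcrs"], quote["nonce"]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "signature does not verify under the AIK"
    mismatched = [i for i in sorted(golden) if quote["pcrs"].get(i) != golden[i]]
    if mismatched:
        return False, "PCR mismatch: " + ", ".join(str(i) for i in mismatched)
    return True, "all quoted PCRs match known-good values"


def attest_platform(measurements: dict, replayed_nonce: bytes = None):
    """One attestation round: the challenger issues a fresh nonce, the platform
    quotes, the challenger validates. replayed_nonce simulates a platform that
    answers with a quote captured under an earlier nonce."""
    challenge = secrets.token_bytes(20)
    nonce = challenge if replayed_nonce is None else replayed_nonce
    quote = tpm_quote(compute_pcrs(measurements), nonce)
    return validate_quote(quote, challenge, GOLDEN_PCRS)
```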
  • FIG. 3 illustrates a current model for attestation and whitelist management following a suggested Attestation Service (AS) architecture. The Whitelist Setup Process proceeds as follows: establish baseline reference values; create a Whitelist; import the Whitelist into the AS; the AS stores whitelist values in a database. For an attestation request, an ISV Product software sends a request 31 for the platform trust status from the Attestation Service (AS). In step 32, the AS requests the Integrity Measurements (IM) from each computer platform via Remote Attestation, and the platform responds with the integrity measurements. In step 33, the AS validates the integrity measurements against its Whitelist of known-good values. In step 34, the AS attests to the trustworthiness of the platforms in the trusted computing pool to the ISV Product server.
  • The disadvantages of the software-only Whitelist are that the whitelist values are ONLY recorded in software and are potentially subject to invalid updates, corruption or alteration; it employs multiple Attestation Service components; the OS/Hypervisor or Hypervisor Manager are intermediaries between the TPM and the AS; and successful attestation may not match actual intended values for a specific device. Managing the “known good” values for different hypervisors, operating systems, and BIOS software versions, and ensuring they are protected from tampering and spoofing, is a critical IT operations challenge. This capability can be internal to a company, managed by a service provider, or delivered remotely as a service by a trusted third party.
  • FIG. 4 illustrates the basic methodology of how TXT utilizes a user-defined value stored to a non-volatile RAM (NVRAM) index in the TPM installed in a TXT-enabled computer (see FIG. 1). A provisioning tool 41 writes the value to NVRAM, which is later encoded into Platform Configuration Register (PCR) 22 of the TPM using the TPM_EXTEND function 42 during the trusted boot process. A Remote Attestation Mechanism is used to securely expose the PCR 22 value to outside entities. The prior art only illustrates how a user may assign a homogeneous value, referred to as “geolocation” in the prior art, across a group of servers during the provisioning process. In the present invention, a unique, device-specific Trust ID value is encoded by combining user-defined values and hardware-specific values associated with the user's computer system (see FIG. 12). In step 43, the value in PCR 22 is provided via a Remote Attestation Mechanism to an external Attestation Service.
  • FIG. 5 illustrates a sample Geotag use case representing the current usage of PCR 22. The provisioning tool 51 writes a geotag hash value to NVRAM. During the trusted boot process 52, the geotag hash value is extended into PCR 22 and in step 53 is provided to outside entities via a Remote Attestation Mechanism to securely expose the results of the EXTENDED geotag hash value in PCR 22. In step 54, an ISV Product obtains the PCR 22 value via a Remote Attestation Mechanism, and in step 55 performs a look-up of the PCR 22 geotag hash value and finds it on a Geotag Lookup Table. In step 56, the values on the Geotag Lookup Table are searched for corresponding values in the Geotag Database. In step 57, the Geotag Database provides a user-readable/presentable string/description to the ISV Product. The ISV Product can then take a predetermined action 58 based on a matched or mismatched Geotag value.
  • FIG. 6 illustrates a Trust Control Suite (TCS) in a preferred embodiment of the present invention that combines the functions of Attestation, Geotagging and Launch Control Policy in the Trust ID that is the subject of this invention. It further introduces the ability to use the same unique identifier for policy and compliance management, all based on values stored in the subject device's hardware. TCS has the following five basic operations. In step 61, it generates and stores a unique Trust ID value on each device of the trusted computing pool (see FIG. 10). In step 62, the TCS obtains the Trust ID values associated with the devices. In step 63, if requested by an optional Attestation Service (AS), a Hypervisor reports the Trust-ID measurements to the AS, which communicates them to the TCS in step 64. In step 65, the TCS performs the following: (a) monitors integrity and identity of devices using information obtained from the devices, including Trust Measurements, Trust IDs and other hardware-specific values; (b) generates TCS Alerts on changes in integrity and identity of devices and communicates them to TCS Subscribers, which may include one or more of Trust-Aware Proxy, Trust-Aware App, TCS GUI, GRC, SIEM, and Policy Management; (c) generates TCS Events and communicates them to TCS Subscribers; and (d) orchestrates coordinated responses by TCS Subscribers, which can take action based on TCS Alerts and Events.
  • FIG. 7 illustrates the preferred TCS modular architecture. The modular architecture includes a loosely coupled set of TCS Connectors that communicate with specific devices (either hardware or software) in a user's information infrastructure via industry standard protocols, including REST connection 71, ASYNC connection 72, and AMQP connection 73 from an associated database or library to a message bus. A TCS Connector transmits TCS Alerts and Events from the TCS through TCS connection 74 to an interface of a respective computing infrastructure Item 1, 2, etc., the subscribing device (TCS Subscriber), in a manner that is intelligible to that specific TCS Subscriber. A TCS Connector may also transmit alerts and events from a TCS Subscriber to the TCS Control Module so that these may be processed into TCS Alerts and Events for other TCS Subscribers.
  • FIG. 8 illustrates a preferred embodiment of the creation and validation process of a unique Trust ID that is the subject of this invention. A fundamental feature of the invention method described herein is the use of the Trust ID as a trust measurement that complements the SCoT and DCoT Measurements. In the preferred embodiment, a Trust ID Configuration Tool (TConfig) of the TCS generates in step 81 a unique Trust ID for each device using a combination of hardware-specific values obtained from the subject device and user-specific values stored in a device database (Seed Values). The TConfig uses an algorithm that: (i) performs a HASH function against the Seed Values to create cryptographic Hash values; (ii) arranges the resulting Hash values in a specific sequence (saving the specific sequence order for future retrieval by TConfig); and (iii) performs an Extend operation against each Hash value in the specific Sequence. The final Extended Value can now be stored on the device as the unique Trust ID, preferably in a cryptographically protected space such as an index in NVRAM on the hardware TPM. Depending on the implementation, the Trust ID could be further extended from NVRAM into a PCR on the TPM. In step 82, the TCS in response to an attestation request through the Remote Attestation Mechanism recalculates and verifies the Trust-ID value as compared to the stored value, and in step 83 orchestrates alerts and events as appropriate (see FIG. 7).
  • FIG. 9 illustrates sample Seed Values used to encode a Trust ID. In the preferred implementation, as part of setting up TConfig, a User chooses the categories of Device-specific Seed Values 91, Contextual Values 92, User-specific Seed Values 93, Policy Values 94 and Configuration Values 95 that TConfig will use to generate the Trust ID 96.
  • FIG. 10 illustrates a sample algorithm for generating a Trust ID value. The preferred algorithm generates a corresponding hash for each Seed Value in step 101, determines a sequencing of the hash values in step 102, performs an “Extend” operation encoding the hash values in step 103, and the resulting value in step 104 is the Trust ID value ultimately to be written to the desired location, for example TPM.
  • FIG. 11 illustrates a sample Trust ID creation and provisioning process. The system boots using a local Provisioning Tool to measure the SCoT and DCoT values in step 111, and obtains local Seed Values from the device in step 112. The list that the local Provisioning Tool provides includes, inter alia, the actual Device-specific Seed Values for such types of Seed Values initially chosen by the User. The Provisioning Tool sends all these results to the TConfig, in this case configured as a module of TCS, and requests a Trust ID in step 113. The TCS via TConfig remotely creates the unique, device-specific Trust ID and sends it in step 114 to the requesting Provisioning Tool, which stores the Trust ID value in NVRAM in step 115. To calculate the Trust ID, TConfig obtains the previously stored Seed Value Configuration from the Database, determines a Sequence, calculates the unique hardware- and user-specific Trust ID, returns the Trust ID to the local Provisioning Tool, and associates the Sequence with the Seed Values Configuration in the Database. Upon receiving the Trust ID, the Provisioning Tool stores the Trust ID on the subject device as part of the standard process for provisioning such a device for use.
  • FIG. 12 illustrates a sample of the data flow for creating a Trust ID from Seed Values. The system boots using a local Provisioning Tool and obtains and transmits a full list of device values in step 121, which are not previously known to the User or TConfig. TConfig obtains the pre-existing User configuration of required seed values in step 122, which is not previously known to Provisioning Tool or TConfig. TConfig assembles the list of required seed values in step 123, chooses a sequence for encoding them in step 124 (not known to the User or Provisioning Tool), calculates the Trust ID in step 125 and delivers the Trust ID to the Provisioning Tool. TConfig associates the chosen sequence with the User configuration, but stores it separately in a TConfig Database (DB) in step 126. The Provisioning Tool stores the Trust ID in step 127.
  • FIG. 13 illustrates a sample of how to recalculate and verify a Trust ID. In this embodiment, TCS obtains SCoT and DCoT Measurements, Trust ID, and local Seed Values from the specific device in step 131 in response to a request, a random event or a predetermined schedule as part of the normal process described with respect to FIG. 6, and the Remote Attestation Mechanism reports the TCoT values to the TCS, including Trust ID and Seed Values (see FIG. 8). At that time, TConfig recalculates the Trust ID using the currently reported hardware-specific Seed Values, together with the user-specific values and the Sequence stored in the Database. The OS or Hypervisor reports other local Seed Values to the TCS in step 132. The TCS DB provides the User-defined formula and remote Seed Values in step 133. In step 134, TCS calculates a fresh Trust ID based on the User-defined formula for the reporting device, using the Extend Function if necessary, and compares the Expected Trust ID with the Reported Trust ID from the reporting device (see FIG. 14). In step 135, based on whether or not there is a match, TCS Alerts Subscribers to the results according to the chosen policies. In step 136, TCS logs the results for audit reporting.
  • FIG. 14 illustrates a sample of verifying a Trust ID from Seed Values. TCS for the platform System via the Remote Attestation Mechanism and OS/Hypervisor obtains in step 141 SCoT and DCoT Measurements, Trust ID, and local Seed Values from the specific device, which are not previously known to the User or TConfig. TConfig obtains in step 142 the pre-existing User configuration of required seed values, which are not previously known to the OS/hypervisor or TConfig. TConfig assembles a list of required seed values in step 143, retrieves in step 144 the encoding sequence from its database (not known to the User or the OS/hypervisor), calculates in step 145 the Trust ID, and compares it in step 146 to the stored Trust ID retrieved from the device. TConfig creates in step 147 an appropriate message with the result, and saves the result in its database in step 148.
  • If the resulting Trust ID matches the reported Trust ID, then implicitly all of the original device-specific Seed Values from the device and the User-specific Seed Values from the Database must match, and, furthermore, the Trust ID was created using the Sequence stored in the Database. If the resulting Trust ID does not match the reported Trust ID, then at least one Seed Value has changed or an incorrect Trust ID has been provisioned on the subject device, either of which implicitly breaches the trust of the subject device.
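The Trust ID generation algorithm of FIG. 10, the provisioning flow of FIG. 12 and the verification flow of FIGS. 13 and 14, carried through as an added example (constructed code, not the patent's or Trapezoid's implementation): each Seed Value is hashed, the hashes are extended in a Sequence that only the TConfig database retains, and verification recomputes the value from freshly reported device seeds plus the stored user seeds. SHA-256 as the hash, a shuffled list as the Sequence, the TConfig class, the seed names and all sample values are assumptions.

```python
import hashlib
import hmac
import random


def extend(accumulator: bytes, digest: bytes) -> bytes:
    """Extend operation in the TPM sense: H(accumulator || digest)."""
    return hashlib.sha256(accumulator + digest).digest()


def seed_hashes(seed_values: dict) -> dict:
    """Step 101: one cryptographic hash per Seed Value. The seed name is bound
    in so that equal values in different categories hash differently."""
    return {name: hashlib.sha256(f"{name}={value}".encode()).digest()
            for name, value in seed_values.items()}


def encode_trust_id(seed_values: dict, sequence: list) -> bytes:
    """Steps 103-104: extend the seed hashes in the given Sequence; the final
    extended value is the Trust ID."""
    hashes = seed_hashes(seed_values)
    accumulator = bytes(32)
    for name in sequence:
        accumulator = extend(accumulator, hashes[name])
    return accumulator


class TConfig:
    """Hypothetical stand-in for the TConfig module. Its database holds, per
    device, the User's seed configuration and the Sequence, kept off the device."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.db = {}

    def provision(self, device, device_report, required_device_seeds, user_seeds):
        """FIG. 12: assemble the required seeds (123), choose a Sequence (124),
        calculate the Trust ID (125) and record the Sequence separately (126)."""
        device_seeds = {k: device_report[k] for k in required_device_seeds}
        seeds = {**device_seeds, **user_seeds}
        sequence = list(seeds)
        self.rng.shuffle(sequence)
        self.db[device] = {"required": list(required_device_seeds),
                           "user_seeds": dict(user_seeds), "sequence": sequence}
        return encode_trust_id(seeds, sequence)  # Provisioning Tool writes this to NVRAM (127)

    def verify(self, device, device_report, reported_trust_id):
        """FIG. 14: recompute from the freshly reported device seeds plus the stored
        user seeds and Sequence (142-145), then compare with the device's copy (146)."""
        record = self.db[device]
        seeds = {**{k: device_report[k] for k in record["required"]}, **record["user_seeds"]}
        expected = encode_trust_id(seeds, record["sequence"])
        return hmac.compare_digest(expected, reported_trust_id)


# Constructed sample data (not from the patent).
DEVICE_REPORT = {"serial": "SN-0001", "bios_version": "1.20",
                 "tpm_ek_hash": "ab12cd34", "nic_mac": "00:11:22:33:44:55"}
REQUIRED_DEVICE_SEEDS = ["serial", "bios_version", "tpm_ek_hash"]
USER_SEEDS = {"geotag": "us-east-dc1", "policy": "pci-tier1", "owner": "acme"}


def provisioning_and_checks():
    """Provision one host, then verify it unchanged, after a change outside the
    chosen seed categories, and after a firmware (seed) change."""
    tconfig = TConfig(random.Random(7))
    trust_id = tconfig.provision("host-a", DEVICE_REPORT, REQUIRED_DEVICE_SEEDS, USER_SEEDS)
    unchanged = tconfig.verify("host-a", DEVICE_REPORT, trust_id)
    # The NIC MAC was not a chosen seed category, so changing it is not a trust event.
    nic_swapped = tconfig.verify("host-a", dict(DEVICE_REPORT, nic_mac="66:77:88:99:aa:bb"), trust_id)
    # A BIOS update changes a hardware-specific seed: the recomputed Trust ID cannot match.
    bios_updated = tconfig.verify("host-a", dict(DEVICE_REPORT, bios_version="1.21"), trust_id)
    return unchanged, nic_swapped, bios_updated


def sequence_is_part_of_the_secret():
    """Same seeds, different Sequence: different Trust ID. This is why the
    Sequence lives only in the TConfig database, not on the device or with the User."""
    seeds = {**{k: DEVICE_REPORT[k] for k in REQUIRED_DEVICE_SEEDS}, **USER_SEEDS}
    names = list(seeds)
    return encode_trust_id(seeds, names) != encode_trust_id(seeds, names[::-1])
```

A mismatch says only that some seed or the provisioned value changed, not which one; narrowing that down is what the reported Seed Values and audit log in steps 131 to 136 are for.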
  • FIG. 15 illustrates a sample of using a Trust ID for hardware-based Attestation. In step 151, the TCS generates and stores the Trust ID value and includes the required whitelist values as Seed Values (see FIG. 12). In step 152, it recalculates and verifies the Trust ID based on the User-defined encoding formula. In step 153, it determines whether the expected Trust ID matches the reported Trust ID; a match means that the whitelist values must be present on the remote device. In step 154, it orchestrates alerts and/or policy events based on the result. Advantages of embedding the whitelist value in the Trust ID include: if the recalculated Trust ID matches, then Attestation is automatic; the expected whitelist value is stored BEFORE the OS/hypervisor takes control of the TPM; Attestation occurs independent of any external software-only AS; whitelist changes (updated, corrupted or altered) do not impact attestation of the individual device; in the case of a Trust ID mismatch, the Trust ID provides additional evidence as to the source, nature and timeline of the cause; and it is not limited to servers or TXT implementations.
  • FIG. 16 illustrates a sample of using a Trust ID with Geotagging. In step 161, the geotag value for the trusted computing pool is used to generate and store the Trust ID. In step 162, TCS recalculates and verifies the Trust ID based on the User-defined chosen formula (see FIG. 13). In step 163, the Trust ID can be decoded to reveal the common geotag value. In step 164, the TCS orchestrates alerts and policy events based on the result. Advantages of having the unique Trust ID include the common geotag value are: the unique, device-specific Trust ID value reduces the chance of spoofing; in converged infrastructure deployments, each individual blade server has a unique Trust ID; in the case of a Trust ID mismatch, the Trust ID provides additional evidence as to the source, nature and timeline of the cause; it can be combined with other Seed Values; and it is not limited to servers or TXT implementations.
  • FIG. 17 summarizes the overall architecture of the Trust Control Suite as used for security in virtualized environments in cloud computing. The Trust Control Suite administered by TCS Admin acts as an intermediary in cloud computing between the computing infrastructure platforms of subscribing Customers 1, 2, 3, etc. and their respective shared-workload applications C1, C2, C3, etc. that are delivered. The Trust Control Suite has a Management Module and Customer Instances that include a TMQ interface VH1, VH2, VH3, etc. for each Customer platform.
  • It is understood that many modifications and variations may be devised given the above description of the principles of the invention. It is intended that all such modifications and variations be considered as within the spirit and scope of this invention, as defined in the following claims. For example, a Trust ID can include other Trust IDs as Seed Values, and can serve as multiple Attestation points. Furthermore, the Trust ID can be used in systems to provide additional evidence as to the source, nature and timeline of the cause of a breach of trust.

Claims (20)

1. An integrity verification management method for security of communications among a local attestation service computer and a plurality of remote computer information technology (IT) machines to be identified in a trusted computing group on a computer network, comprising:
generating at a local attestation service computer a unique encoded alphanumeric value (Trust ID value) by combining a set of alphanumeric values defined by a user of a target remote IT machine, including hardware-specific seed values that are uniquely and unchangeably associated with specific physical hardware embodied with the target remote IT machine, using a Trust ID encoding algorithm during a target IT machine validation procedure to uniquely identify the target remote IT machine as being in the trusted computing group of said plurality of remote IT machines;
storing the locally generated Trust ID value associated with the specific physical hardware for the target remote IT machine in a secure memory storage of the target remote IT machine;
locally storing in the local attestation service computer the user-defined alphanumeric values associated with the target remote IT machine together with a list of types of hardware-specific seed values associated with the specific physical hardware embodied with the target remote IT machine; and
performing, at the attestation service computer locally and independently from the target remote IT machine, a local attestation procedure via a trust control application program of the attestation service computer for computing a Trust ID value by (1) requesting for retrieval from the target remote IT machine the stored original Trust ID value and the hardware-specific seed values of the stored list of types associated with specific physical hardware embodied with the target remote IT machine, and (2) combining the locally-stored user-defined alphanumeric values with the hardware-specific seed values retrieved from the target remote IT machine and encoding a comparison Trust ID value using the same Trust ID encoding algorithm that was used to encode the original Trust ID value stored in the target remote IT machine; and
comparing at the local attestation service computer the Trust ID value encoded in the local attestation procedure with the original Trust ID value retrieved from the target remote IT machine, and upon a match, determining that the target remote IT machine is a trusted IT machine in the trusted computing group, or upon a failure to match, determining that the target remote IT machine is not a trusted IT machine in the trusted computing group, then taking an appropriate security action by the trust control application program of the local attestation service computer.
2. The integrity verification management method according to claim 1, further comprising storing the original encoded Trust ID value in a secure storage location physically associated with the hardware of the target remote IT machine.
3. The integrity verification management method according to claim 1, wherein the user-defined data includes a geolocation value associated with the physical location where the target remote IT machine is to be deployed in order to define its grouping with the trusted computing pool associated with that geolocation.
4. The integrity verification management method according to claim 1, wherein the hardware-specific seed values include values associated with the given version of any firmware, BIOS, ROM, or other embedded code (collectively “firmware”) present on the target remote IT machine.
5. The integrity verification management method according to claim 1, wherein the creation of the original Trust ID value is carried out without the knowledge of the user of the target remote IT machine as a precaution against security penetration and spoofing.
6. The integrity verification management method according to claim 1, wherein the unique Trust ID value incorporates Seed Values selected from predetermined categories of Trust ID types.
7. The integrity verification management method according to claim 1, wherein the unique Trust ID value is generated to include a geotagging value for the trusted computing pool.
8. The integrity verification management method according to claim 1, wherein the local attestation service computer is configured to perform the local attestation procedure as part of a Trust Control Suite.
9. The integrity verification management method according to claim 8, wherein the unique Trust ID value is generated by a TConfig module of a Trust Control Suite.
10. The integrity verification management method according to claim 8, wherein the Trust Control Suite is used for ensuring security for a plurality of information technology platforms in a trusted computing pool.
11. The integrity verification management method according to claim 9, wherein the Trust Control Suite has a modular architecture having instances for respective ones of the plurality of information technology platforms in the trusted computing pool.
12. The integrity verification management method according to claim 1, wherein the Trust ID value is generated in a Trust ID validation process.
13. The integrity verification management method according to claim 1, wherein hardware-specific and user-specific Seed Values are chosen by a user of a remote IT machine during a configuration process for the remote IT machine.
14. The integrity verification management method according to claim 12, wherein the Trust ID value is generated by selecting one or more of hardware-specific Seed Values, contextual values, user-specific Seed Values, and policy values.
15. The integrity verification management method according to claim 12, wherein the Trust ID value is generated by an encoding algorithm for hash encoding and combining the hardware-specific and user-specific values in a selected sequence.
16. The integrity verification management method according to claim 1, wherein the Trust ID value is stored in the memory storage associated with the remote IT machine by a provisioning tool provided with each IT machine.
17. The integrity verification management method according to claim 1, wherein the Trust ID value is generated by recalculation to verify a previously stored Trust ID value for each IT machine.
18. The integrity verification management method according to claim 16, wherein based upon whether there is a match or mismatch of the recalculated Trust ID value with the previously stored Trust ID value, predetermined chosen alerts and policy events are orchestrated based on the result.
19. The integrity verification management method according to claim 1, wherein the Trust ID value is generated by including a geotag value common to the trusted computing group with the hardware-specific and user-specific values.
20. The integrity verification management method according to claim 18, wherein the Trust ID value is decoded to reveal the common geotag value.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/990,078 US9674183B2 (en) 2013-12-27 2016-01-07 System and method for hardware-based trust control management
US15/601,551 US10305893B2 (en) 2013-12-27 2017-05-22 System and method for hardware-based trust control management

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/142,394 US9258331B2 (en) 2013-12-27 2013-12-27 System and method for hardware-based trust control management
US14/990,078 US9674183B2 (en) 2013-12-27 2016-01-07 System and method for hardware-based trust control management

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/142,394 Continuation US9258331B2 (en) 2013-12-27 2013-12-27 System and method for hardware-based trust control management

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/601,551 Continuation-In-Part US10305893B2 (en) 2013-12-27 2017-05-22 System and method for hardware-based trust control management

Publications (2)

Publication Number Publication Date
US20160119336A1 true US20160119336A1 (en) 2016-04-28
US9674183B2 US9674183B2 (en) 2017-06-06

Family

ID=53479546

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/142,394 Active 2034-04-25 US9258331B2 (en) 2013-12-27 2013-12-27 System and method for hardware-based trust control management
US14/990,078 Active US9674183B2 (en) 2013-12-27 2016-01-07 System and method for hardware-based trust control management

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/142,394 Active 2034-04-25 US9258331B2 (en) 2013-12-27 2013-12-27 System and method for hardware-based trust control management

Country Status (2)

Country Link
US (2) US9258331B2 (en)
WO (1) WO2015100035A1 (en)

US8065714B2 (en) * 2008-09-12 2011-11-22 Hytrust, Inc. Methods and systems for securely managing virtualization platform
US20120151223A1 (en) * 2010-09-20 2012-06-14 Conde Marques Ricardo Nuno De Pinho Coelho Method for securing a computing device with a trusted platform module-tpm
US20120179916A1 (en) * 2010-08-18 2012-07-12 Matt Staker Systems and methods for securing virtual machine computing environments
US20130047197A1 (en) * 2011-08-19 2013-02-21 Microsoft Corporation Sealing secret data with a policy that includes a sensor-based constraint
US20130198797A1 (en) * 2012-01-30 2013-08-01 Yeluri Raghuram Remote trust attestation and geo-location of servers and clients in cloud computing environments
US8595483B2 (en) * 2006-06-26 2013-11-26 Intel Corporation Associating a multi-context trusted platform module with distributed platforms
US20130347058A1 (en) * 2012-06-22 2013-12-26 Ned M. Smith Providing Geographic Protection To A System
US20150200934A1 (en) * 2010-06-30 2015-07-16 Google Inc. Computing device integrity verification

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7526654B2 (en) * 2001-10-16 2009-04-28 Marc Charbonneau Method and system for detecting a secure state of a computer system
WO2008046101A2 (en) 2006-10-13 2008-04-17 Ariel Silverstone Client authentication and data management system
US8166552B2 (en) 2008-09-12 2012-04-24 Hytrust, Inc. Adaptive configuration management system
US20100106693A1 (en) 2008-10-23 2010-04-29 Wachovia Corporation Image appliance system and method
US8336079B2 (en) 2008-12-31 2012-12-18 Hytrust, Inc. Intelligent security control system for virtualized ecosystems
CN102428686A (en) 2009-05-19 2012-04-25 安全第一公司 Systems and methods for securing data in the cloud
CN102754116B (en) 2010-01-19 2016-08-03 维萨国际服务协会 Transaction authentication based on token
US20120124659A1 (en) 2010-11-17 2012-05-17 Michael Craft System and Method for Providing Diverse Secure Data Communication Permissions to Trusted Applications on a Portable Communication Device
US20120254949A1 (en) 2011-03-31 2012-10-04 Nokia Corporation Method and apparatus for generating unique identifier values for applications and services

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10310885B2 (en) 2016-10-25 2019-06-04 Microsoft Technology Licensing, Llc Secure service hosted in a virtual security environment
WO2018166708A1 (en) * 2017-03-13 2018-09-20 Siemens Aktiengesellschaft Method and device for verifying the integrity of data stored in a predetermined memory area of a memory
US11455396B2 (en) 2017-05-12 2022-09-27 Hewlett Packard Enterprise Development Lp Using trusted platform module (TPM) emulator engines to measure firmware images
US10033756B1 (en) 2017-10-26 2018-07-24 Hytrust, Inc. Methods and systems for holistically attesting the trust of heterogeneous compute resources
EP3477524A1 (en) * 2017-10-26 2019-05-01 Hytrust, Inc. Methods and systems for holistically attesting the trust of heterogeneous compute resources

Also Published As

Publication number Publication date
US20150188944A1 (en) 2015-07-02
US9258331B2 (en) 2016-02-09
WO2015100035A1 (en) 2015-07-02
US9674183B2 (en) 2017-06-06

Similar Documents

Publication Publication Date Title
US9674183B2 (en) System and method for hardware-based trust control management
US10305893B2 (en) System and method for hardware-based trust control management
De Benedictis et al. Integrity verification of Docker containers for a lightweight cloud environment
CN109792386B (en) Method and apparatus for trusted computing
US20180287780A1 (en) Blockchain verification of network security service
US9509720B2 (en) Techniques for improved run time trustworthiness
US9015845B2 (en) Transit control for data
KR101791768B1 (en) Configuration and verification by trusted provider
US8572692B2 (en) Method and system for a platform-based trust verifying service for multi-party verification
US20170300309A1 (en) Application deployment and monitoring in a cloud environment to satisfy integrity and geo-fencing constraints
US9754116B1 (en) Web services in secure execution environments
US20130185564A1 (en) Systems and methods for multi-layered authentication/verification of trusted platform updates
US20200117439A1 (en) Systems and Methods for Reinforced Update Package Authenticity
US9449171B2 (en) Methods, systems, and computer readable mediums for providing supply chain validation
De Benedictis et al. A proposal for trust monitoring in a Network Functions Virtualisation Infrastructure
US10984108B2 (en) Trusted computing attestation of system validation state
Bartock et al. Trusted geolocation in the cloud: Proof of concept implementation
US11768948B1 (en) Enclave-based cryptography services in edge computing environments
US20210334380A1 (en) Trusted firmware verification
Banks et al. Trusted geolocation in the cloud: Proof of concept implementation (Draft)
US20200174995A1 (en) Measurement Update Method, Apparatus, System, Storage Media, and Computing Device
Sisinni Verification of Software Integrity in Distributed Systems
Paladi Trusted computing and secure virtualization in cloud computing
US20230289451A1 (en) Secure device validator ledger
US20230106491A1 (en) Security dominion of computing device

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4